This tutorial will describe manually unpacking the last Yoda Protector version, 1.03.3. The tutorial will focus on the main yP problem: running a protected file under a debugger.
Hi, friends, and welcome to a new unpacking tutorial. As I said, yP 1.03.3 is the last yoda Protector version and the author has decided to stop the project. He is planning to start a new one. I have already written a tutorial for unpacking the 1.03.2beta version, which is pretty much identical to this one, but that tutorial didn't describe how to run a protected file under a debugger. This tutorial will show how the anti-debug tricks can be easily avoided and bypassed.
This tutorial will not go into details because there is no need for that. Rebuilding imports is very easy and that is all we need to do after we reach the OEP.
Yoda Protector is based on the Yoda's Cryptor frame, only new tricks are added from time to time. The old tricks are PE header erasing (which is pointless), CRC checking (code and file), the IsDebuggerPresent check, API redirecting and destroying import information. These old tricks are already described in my tutorial about ExeStealth v2.74a (this protector is just a rip of yoda). The new tricks are terminating Olly and possibly freezing Windows XP.
Let's see how Olly is killed. The protector uses a combination of APIs to get the PIDs of all running processes. Then it searches for the process that started it (ollydbg in our case) and terminates it. It compares the PID of that process with its own PID. If those PIDs are not the same (i.e. the exe was started through Olly) it will terminate that process.
The second trick is more annoying. The protector calls the BlockInput API before any other check. That API blocks the input devices (mouse, keyboard, etc.), so we are locked out of our system. Then the protector does its other checks and decrypting. If in the meantime the protector stops on some exception or Olly is found, our system will wait for us to take action, but we cannot do anything except restart Windows. If everything passes fine, the protector will call BlockInput again to unblock the input devices. Pretty smart trick.
2. Reaching OEP
OK, time to unpack the target. Grab the crackme and load it in Olly. In Olly, ignore all exceptions, then in Events set "Break on new module (DLL)". We need to break on user32.dll loading in order to intercept the BlockInput API. Then press F9 until you see that user32.dll is loaded:
After that we can uncheck the option for breaking on new module. Now we just need to patch the BlockInput API so it doesn't block the devices. Simply select "Go to, expression" and enter BlockInput. Click OK and we land in user32.dll on that API (this is how it looks on my system):
We have killed this API and with that we avoid blocking the devices, but we still need to prevent Olly from being killed. There is a similarly simple solution for that. Yoda uses CreateToolhelp32Snapshot to get all processes and a couple of other APIs to walk through them. But it uses GetCurrentProcessId to get its own PID. Then yoda checks whether the process that started it has the same PID as itself (i.e. whether the protected file was started through some debugger or not) and if not, it terminates that process. We can do the following to prevent killing Olly:
- Open LordPE and get the PID of OllyDbg.exe. Mine is 478.
- "Go to, expression", enter GetCurrentProcessId and click OK. You are in the API:
And that's it! Now we need to use a plugin to hide Olly from the IsDebuggerPresent check and run (remember the bp on BlockInput). We will stop two times on the bp on the patched BlockInput API. Then we open the "Memory Map" window, place a memory bp on access on the first section and run. The OEP is reached:
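To make clear why patching GetCurrentProcessId is enough to neutralize the debugger-killing check, here is an added model of that check, exactly as the tutorial describes it, run over a constructed process snapshot. This is example code, not the protector's or the tutorial's own code; the process table, PIDs (Olly as 478, the crackme as 520) and the replacement for the GetCurrentProcessId API are all assumptions.

```python
# Constructed snapshot in the shape Process32First/Process32Next would walk:
# (pid, parent pid, image name). All values are made up for this example.
SNAPSHOT = [
    (4, 0, "System"),
    (212, 4, "explorer.exe"),
    (478, 212, "OllyDbg.exe"),   # the debugger, started from explorer
    (520, 478, "crackme.exe"),   # the protected file, started by Olly
]


def find_starter(snapshot, pid):
    """Return (pid, name) of the process that started `pid`, or None."""
    parents = {p: parent for p, parent, _ in snapshot}
    names = {p: name for p, _, name in snapshot}
    parent = parents.get(pid)
    if parent is None or parent not in names:
        return None
    return parent, names[parent]


def yoda_kill_check(snapshot, real_pid, get_current_process_id):
    """Model of the protector's check as the tutorial describes it.
    `real_pid` is the protected file's true PID (used to walk the snapshot);
    `get_current_process_id` stands in for the GetCurrentProcessId API,
    which is the value the protector trusts. Returns the name of the
    process the protector would terminate, or None if the check passes."""
    starter = find_starter(snapshot, real_pid)
    if starter is None:
        return None
    starter_pid, starter_name = starter
    # The starter is spared only if its PID matches what GetCurrentProcessId
    # returned; a debugger parent never matches, so it gets terminated.
    if starter_pid != get_current_process_id():
        return starter_name
    return None


def unpatched():
    # Real API: returns the crackme's own PID (520), so Olly (478) differs.
    return yoda_kill_check(SNAPSHOT, 520, lambda: 520)


def patched(olly_pid=478):
    # After the tutorial's patch, the API hands back Olly's PID instead.
    return yoda_kill_check(SNAPSHOT, 520, lambda: olly_pid)


if __name__ == "__main__":
    print("unpatched, would terminate:", unpatched())  # OllyDbg.exe
    print("patched, would terminate:", patched())      # None
```

Because the protector derives both sides of the comparison from values it fetches at runtime, a single hooked API return is enough to make the check pass without touching the snapshot walk itself.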